Confidentiality: good practice in handling patient information

1 Confdentiality: good practice in handling patient information Confdentiality: good practice in handling patient information The duties of a doctor registered with the General Medical Council Patients must be able to trust doctors with their lives and health. To justify that trust you must show respect for human life and make sure your practice meets the standards expected of you in four domains. Knowledge, skills and performance nMake the care of your patient your frst concern. nProvide a good standard of practice and care. lKeep your professional knowledge and skills up to date. lRecognise and work within the limits of your competence. Safety and quality nTake prompt action if you think that patient safety, dignity or comfort is being compromised. nProtect and promote the health of patients and the public. Communication, partnership and teamwork nTreat patients as individuals and respect their dignity.

2 LTreat patients politely and considerately. lRespect patients right to confdentiality. nWork in partnership with patients. lListen to, and respond to, their concerns and preferences. lGive patients the information they want or need in a way they can understand. lRespect patients right to reach decisions with you about their treatment and care. lSupport patients in caring for themselves to improve and maintain their health. nWork with colleagues in the ways that best serve patients interests. Maintaining trust nBe honest and open and act with integrity. nNever discriminate unfairly against patients or colleagues. nNever abuse your patients trust in you or the public s trust in the profession. You are personally accountable for your professional practice and must always be prepared to justify your decisions and actions. Confdentiality: good practice in handling patient information Published January 2017.

3 Came into effect 25 April 2017. This guidance was updated on 12 October 2017. We updated paragraphs 67 and 68 to refer to the patient s and the public interest in maintaining confdentiality, rather than patients and the public interest in maintaining confdentiality. This guidance was updated on 25 May 2018 to refect the requirements of the General Data Protection Regulation and Data Protection Act 2018. You can fnd the latest version of this guidance on our website at General Medical Council | 01 02 | General Medical Council Contents Confdentiality: good practice in handling patient information Paragraph(s) Page(s) About this guidance Other materials available Ethical and legal duties of confdentiality Acting within the law The main principles of this guidance Disclosing patients personal information .

4 A framework When you can disclose personal information Disclosing information with a patient s consent Disclosing information when a patient lacks the capacity to consent Disclosures required or permitted by law Disclosures approved under a legal process Disclosures in the public interest Disclosures prohibited by law Data protection law Flowchart 8 9 1 4 10 5 7 11 8 12 9 25 13 21 9 12 13 13 15 14 15 16 16 17 19 16 20 21 17 22 23 18 24 19 25 19 20 21 General Medical Council | 03 Confdentiality: good practice in handling patient information Paragraph(s) Page(s) Using and disclosing patient information for direct care 26 49 22 29 Sharing information for direct care 26 33 22 24 Implied consent and sharing information for direct care 27 29 22 23 patient objections to sharing information for their own care 30 31 23 24 If a patient cannot be informed 32 33 24 Sharing information with those close to the patient 34 40 24 26 Establishing what the patient wants 35 36 24 25 Abiding by the patient s wishes 37 38 25 Listening to those close to the patient 39 40 26 Disclosures about patients who lack capacity to consent 41 49 26 29 Considering the disclosure 44 47 27 28 If a patient who lacks capacity asks you not to disclose 48 49 29 Disclosures for the protection of patients and others 50 76 30 36 Disclosing information to protect patients 50 59 30 32 Disclosing information about

5 Children who may be at risk of harm 51 30 Disclosing information about adults 04 General Medical Council |Confdentiality: good practice in handling patient information Paragraph(s) Page(s) who may be at risk of harm 52 30 Legal requirements to disclose information about adults at risk 53 54 30 31 Disclosing information to protect adults who lack capacity 55 56 31 The rights of adults with capacity to make their own decisions 57 59 32 Disclosing information to protect others 60 76 32 36 Legal requirements to disclose information for public protection purposes 61 33 Disclosing information with consent 62 33 Disclosing information in the public interest 63 70 33 35 Responding to requests for information 71 72 35 36 Disclosing genetic and other shared information 73 76 36 Using and disclosing patient information for secondary purposes 77 116 38 48 Anonymised information 81 86 39 40 The process of anonymising information 84 85 39 40 Disclosing anonymised information 86 40 Disclosures required by statutes or the

6 Courts 87 94 40 42 Disclosure required by statute 87 89 40 41 Disclosing information to the courts, or to obtain legal advice 90 94 41 42 04 | General Medical Council General Medical Council | 05 Confdentiality: good practice in handling patient information Paragraph(s) Page(s) Consent 95 42 Disclosures for health and social care secondary purposes 96 114 42 47 Clinical audit 96 98 42 43 Disclosures for fnancial or administrative purposes 99 43 The professional duty of candour and confdentiality 100 101 44 Openness and learning from adverse incidents and near misses 102 44 Disclosures with specifc statutory support 103 105 44 Public interest disclosures for health and social care purposes 106 112 45 47 Ethical approval for research 113 114 47 Requests from employers.

7 Insurers and other third parties 115 116 47 48 Managing and protecting personal information 117 139 49 55 Improper access and disclosure 117 121 49 50 Knowledge of information governance and raising concerns 122 124 50 Processing information in line with data protection law 125 127 51 52 Records management and retention 128 130 52 The rights of patients to access their own records 131 52 06 General Medical Council |Confdentiality: good practice in handling patient information Paragraph(s) Page(s) Communicating with patients 132 133 52 Disclosing information after a patient has died 134 138 52 54 Legal annex 56 Sources of law on confdentiality, data protection and privacy 56 The common law Data protection law (UK) 57 60 56 Human Rights Act 1998 (UK) 62 Freedom of information Acts across the UK 63 Computer Misuse Act 1990 (UK) 63 Regulation of healthcare providers and professionals 64 65 Laws on disclosure for health and social care purposes 66 Health and Social Care Act 2012 (England) Health and Social Care (Safety and Quality) 66 Act 2015 (England) 66 Health and Social Care (Control of Data Processing) Act 2016 (Northern Ireland) 67 Section 251 of the NHS Act 2006 (England and Wales)

8 67 69 Statutory restrictions on disclosing information about patients 69 70 Gender Recognition Act 2004 (UK) 69 06 | General Medical Council General Medical Council | 07 Confdentiality: good practice in handling patient information Paragraph(s) Page(s) Human Fertilisation Act and Embryology Act 1990 (UK) National Health Service (Venereal Diseases) Regulations 1974 and NHS Trusts and Primary Care Trusts (Sexually Transmitted Diseases) Directions 200070 70 Endnotes 71 78 Confdentiality: good practice in handling patient information About this guidance Our core guidance for doctors, good medical practice , makes clear that patients have a right to expect that their personal information will be held in confdence by their doctors.

9 This guidance sets out the principles of confdentiality and respect for patients privacy that you are expected to understand and follow. This guidance outlines the framework for considering when to disclose patients personal information and then applies that framework to: a disclosures to support the direct care of an individual patient b disclosures for the protection of patients and others c disclosures for all other purposes. This guidance also sets out the responsibilities of all doctors for managing and protecting patient information . In this guidance , we use the terms you must and you should in the following ways. a You must is used for an overriding duty or principle. b You should is used when we are providing an explanation of how you will meet the overriding duty. c You should is also used where the duty or principle will not apply in all situations or circumstances, or where there are factors outside your control that affect whether or how you can follow the guidance .

10 08 | General Medical Council Confdentiality: good practice in handling patient information You must use your judgement to apply the principles in this guidance to the situations you face as a doctor, whether or not you hold a licence to practise and whether or not you routinely see patients. If in doubt, you should seek the advice of an experienced colleague, a Caldicott or data guardian1 or equivalent, a data protection offcer, your defence body or professional association, or seek independent legal advice. You must be prepared to explain and justify your decisions and actions. Only serious or persistent failure to follow our guidance that poses a risk to patient safety or public trust in doctors will put your registration at risk. Other materials available Further explanatory guidance is available on our website explaining how these principles apply in situations doctors often encounter or fnd hard to deal with.